Skip to content

Remove werkzeug upperbound #3095

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
marcstern14 wants to merge 2 commits into from
Closed

Remove werkzeug upperbound #3095

marcstern14 wants to merge 2 commits into from

Conversation

@marcstern14
Copy link

@marcstern14 marcstern14 commented Nov 27, 2024
edited
Loading

werkzeug>=3.1 is compatible within the set flask boundaries. Removing the boundaries for werkzeug would allow for more flexible installations on deployed apps without triggering vulnerabilities.

@marcstern14
Remove werkzeug upperbound
4495b22 
`werkzeug>=3.1` is compatible within the set flask boundaries. Removing the boundaries for `werkzeug` would allow for more flexible installations on deployed apps without triggering vulernabilities.
@ndrezn
Copy link
Member

ndrezn commented Nov 27, 2024

We've had a few issues in the past with backwards incompatibilities in werkzeug causing issues in Dash (#1992) which led to the pin.

Could you open a ticket requesting that we release the upper bound for discussion? Want to make sure we get this right if we decide to change the dependency on werkzeug.

@marcstern14
add werkzeug lower bound
5511f4b 
Add a `werkzeug` lower bound to ensure this vulnerability is not triggered: https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-8309092
@marcstern14
Copy link
Author

marcstern14 commented Nov 27, 2024
edited
Loading

Yes will do! Thanks @ndrezn

edit: see issue here

@marcstern14 marcstern14 mentioned this pull request Nov 27, 2024
Closed
@gvwilson gvwilson added P2 considered for next cycle fix fixes something broken dependencies Pull requests that update a dependency file labels Dec 3, 2024
@gvwilson
Copy link
Contributor

gvwilson commented Jun 26, 2025

should be fixed in Dash 3.1.0 - thanks

@gvwilson gvwilson closed this Jun 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alexcjohnson alexcjohnson Awaiting requested review from alexcjohnson

@T4rk1n T4rk1n Awaiting requested review from T4rk1n T4rk1n is a code owner

@ndrezn ndrezn Awaiting requested review from ndrezn ndrezn is a code owner

@gvwilson gvwilson Awaiting requested review from gvwilson

@emilykl emilykl Awaiting requested review from emilykl emilykl is a code owner

Assignees

@T4rk1n T4rk1n

Labels

dependencies Pull requests that update a dependency file fix fixes something broken P2 considered for next cycle

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@marcstern14 @ndrezn @gvwilson @T4rk1n